Unknown USB Devices are a Fantastic Virus Propagation Method

Recently, I was in Suffern, New York for the Northeast Astro-Imaging Conference. While there I attended a fantastic workshop by Tom Field about his Rspec software. As part of the workshop everyone was supposed to install an Rspec Trial and download a sample data set. Tom made this easier for attendees by providing several USB sticks with the software and data pre-loaded and passed them around to people who forgot or didn’t have the ability to download the data set.

Tom was being a good teacher and enabling his classroom, but all it takes is one bad apple in that group to infect everyone else who uses the USB stick, and if Tom re-uses that stick then anyone at any future workshop. A bad apple doesn’t even have to know they are spreading an infection either, a virus could easily inject itself into the software installer or into the data zip without telling anyone.

Any Device with Firmware Is Potentially Vulnerable

Traditionally, the only USB attacks were viruses embedded in files on a USB storage device, or a specifically crafted attack device. That all changed in 2014 when Karsten Nohl introduced a new class of attack to the world with the appropriately named BadUSB.

BadUSB flips the traditional attack on its head by attacking the firmware of the device instead of the storage. Firmware is a fancy word for the software that runs on the device that makes it work. By hijacking the firmware an attacker can tell your computer “This USB stick is also a keyboard!” And your computer will assume you’ve plugged in a USB hub with a keyboard and storage stick attached. That virtual keyboard could then send keystrokes to the machine telling it to do anything you can do from a physical keyboard.

But it gets better, because the attack targets the firmware of the device any USB device is potentially vulnerable. This means you could have an infected USB hub, USB lamp, USB DVD burner, or – yes – an infected USB data drive.

Now, this means that any device without firmware is still fairly safe, however unless it is from a trusted source I would not plug it in since anyone could add a chip to a normally benign device to turn it into an attack vector.

These Attacks Can Be Very Difficult to Defend Against

A traditional anti-virus will typically stop the normal attack described above. It will scan the files on the USB disk as they’re opened and alert or attempt to clean any infections detected. However, because BadUSB tells the computer that it’s a completely different device included your anti-virus won’t see anything amiss.

Because this attack is at the firmware level, any computer that supports USB plug-and-play – that is any computer running any OS from literally the last 20 years – is vulnerable to this type of attack.

Disabling Autoplay Won’t Save You Now!

Whenever you hear about viruses and USB devices someone always says to disable autoplay, and that is good advice, for normal viruses. Remember how I keep talking about how BadUSB attacks the firmware of the device? Autoplay begins once the firmware has initialized and told the computer what type of device it is. Because this attack is at the Firmware layer it completely bypasses autoplay. Remember, this isn’t a traditional virus infection, this is a sophisticated attack that involves installing a fake USB device that the computer believes is real.

How Worried Should I Be?

To my knowledge, BadUSB (or it’s nastier little brother BadUSB2) have never been detected in the wild. It’s a very sophisticated attack and you’re unlikely to pick it up from just plugging a USB stick into an unknown computer. The fact that the attack is at the firmware level, while it makes the attack so much more devastating, it also means that each attack can only work with very specific devices that the modified firmware runs on. Basically, if you have an attack for a USB camera it almost certainly won’t work with a USB data drive.

What You Can Do

Never plug in an unknown USB device directly into your computer.

In this context, your phone counts as a computer! Even if BadUSB has never been seen in the wild, special attack devices have. I recently heard of someone who had added a keylogger to a USB cable for his keyboard, he did that to keep track of what he did on any computer, but that could easily be modified to upload to the cloud and dropped in a parking lot.

Use a USB data blocker for devices that only need power.

Think about it for a second, should that USB fan you bought ever need data from your PC?

PortaPow USB Data Blocker

These are really easy to use devices that physically block the data pins in a USB connection while allowing the power pins to connect. You can make one yourself by snipping the correct wires in an old cable, or you can buy a compact unit like this one.

Only use USB devices that support signed firmware.

The BadUSB attacks are possible because manufacturers have not implemented a technology called “digital signing.” For this to work each manufacturer would have their own private cryptographic key to sign their firmware. When this key is properly protected and digital signing is properly implemented it will completely stop the BadUSB attack in it’s tracks, since an attacker would not have access to the private key to sign their modified firmware. There are a few USB Storage manufacturers that have begun implementing this, I personally use a Kanguru FlashSecure drive. Both IronKey and Spyrus make similarly protected devices, I’m sure there are others as well.